• Home
  • Attack
  • Dataset
  • Contact Us
        • T1-24–01–S–N–CL
        • T2-24–01–S–N–CL
        • T3-24–01–S–N–CL
        • T4-24–01–S–E–M
        • T5-24–01–S–E–LM
        • T6-24–01–S–E–FH
        • T7-24–01–M–NE–CLM
        • T8-24–01–M–NE–CFHL
        • T9-24–01–M–NE–CLM
        • comming soon
  • T2-24–01–S–N–CL

  • SMBGhost (CVE-2020-0796)

    A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests, aka 'Windows SMBv3 Client/Server Remote Code Execution Vulnerability'.

    This vulnerability may affect all users with SMB enabled in Microsoft Windows 10 versions 1903 and 1909 and Windows Server versions 1903 and 1909. To avoid this, disable SMB compression and block port 445.

    •  


  • OS IP Software Log collection
    time    		 Program
    runtime
    Attacker Windows 11 192.168.56.1 - 112 sec 140 sec
    Victim Windows 10(1903) 192.168.56.113 SMB

  • Installing
  • python3 -m pip install -r requirements.txt

  • Using
  • ※ The instability of POC may cause intermittent remote connection fail.

    python3 run.py

  • MITRE ATT&CK Framework
  • Attack Tactic
    Reconnaissance Resource Development Initial Access Execution Persistence Privilege Escalation Defense Evasion
    Credential Discovery Lateral Movement Collection Command and Control Exfiltration Impact

  • Logs
  • ./log/2024_01_T2_{time}.pcap # YYmmdd_HHMMSS


  • References
  • [1] NIST [CVE-2020-0796]
    [2] ZecOps [CVE-2020-0796 Remote Code Execution POC]

  • ※ Click on the attack name to see a description and scenario for the attack
    • 2024
    • T1-24–01–S–N–CL
    • T2-24–01–S–N–CL
    • T3-24–01–S–N–CL
    • T4-24–01–S–E–M
    • T5-24–01–S–E–LM
    • T6-24–01–S–E–FH
    • T7-24–01–M–NE–CLM
    • T8-24–01–M–NE–CFHL
    • T9-24–01–M–NE–CLM
  • Copyright(C) 2024, KAIST Cyber Security Reserch Center. All Rights Reserved.